PA-DSS

The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). [1] PA-DSS was introduced to provide the definitive data security standard for software vendors that develop payment applications. The standard aimed to prevent payment applications developed for third parties from storing prohibited sensitive data, including full magnetic stripe data, CVV2, or PIN. In the process, the standard also requires that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Ultimately the PA-DSS was retired in late 2022, though existing implementations using PA-DSS applications do not necessarily lose their compliance status. [2] The PCI Council has since established a new software validation program, the PCI Software Security Framework.

Requirements

For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following fourteen protections: [3]

  1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities and maintain payment application updates.
  8. Facilitate secure network implementation.
  9. Cardholder data must never be stored on a server connected to the Internet.
  10. Facilitate secure remote access to payment application.
  11. Encrypt sensitive traffic over public networks.
  12. Secure all non-console administrative access.
  13. Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators.
  14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.
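A defender's check for Requirements 1 and 2, added here as an illustration (this is not PCI SSC material or any vendor's code): it scans stored records for the sensitive authentication data that PA-DSS forbids retaining after authorization and masks PANs to first six/last four for display. The regexes, the `cvv2` and `pin_block` field labels, and the sample records are constructed for the example.

```python
import re

# Sensitive authentication data that PA-DSS Requirement 1 forbids retaining after
# authorization, even encrypted. Track formats follow ISO/IEC 7813; the cvv2/cid and
# pin_block field names are assumed labels used by this example's records.
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\??")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}\d{3}\d*\??")
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.I)
PINBLOCK_RE = re.compile(r"\bpin_?block\s*[=:]\s*[0-9A-F]{16}\b", re.I)
PAN_RE = re.compile(r"\b(\d{13,19})\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real PAN from an unrelated run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_prohibited(record: str) -> list:
    """Name each class of prohibited data present in one stored record."""
    checks = [("track1", TRACK1_RE), ("track2", TRACK2_RE),
              ("cvv2", CVV2_RE), ("pin_block", PINBLOCK_RE)]
    return [name for name, rx in checks if rx.search(record)]

def redact(record: str) -> str:
    """Mask Luhn-valid PANs (Requirement 2); records holding prohibited data must be purged, not masked."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0), record)

def scan(records) -> dict:
    """Map record index to its findings, for the records that have any."""
    return {i: f for i, r in enumerate(records) if (f := find_prohibited(r))}

# Constructed sample records; 4111111111111111 is a well-known Luhn-valid test number.
SAMPLE_RECORDS = [
    "auth ok pan=4111111111111111 amount=12.50",
    ";4111111111111111=25121011234567890?",
    "%B4111111111111111^DOE/JOHN^2512101000000000?",
    "cvv2=123 pin_block=0123456789ABCDEF",
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, find_prohibited(rec) or "clean", "->", redact(rec))
```

Run against a database export or application log, any non-empty result from `scan` is a Requirement 1 failure regardless of whether the data is encrypted.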

Governance and enforcement

PCI SSC has compiled a list of payment applications that have been validated as PA-DSS compliant, with the list updated to reflect compliant payment applications as they are developed. Creation and enforcement of these standards currently rests with PCI SSC via Payment Application-Qualified Security Assessors (PA-QSA). PA-QSAs conduct payment application reviews that help software vendors ensure that applications are compliant with PCI standards.

History

Governed originally by Visa Inc. under the PABP moniker, PA-DSS was launched on April 15, 2008 and updated on October 15, 2008. The two releases were retroactively distinguished as "version 1.1" [4] and "version 1.2". [5]

In October 2009, PA-DSS v1.2.1 was released with three noted changes: [3]

  1. Under “Scope of PA-DSS,” align content with the PA-DSS Program Guide, v1.2.1, to clarify applications to which PA-DSS applies.
  2. Under Laboratory Requirement 6, corrected spelling of “OWASP.”
  3. In the Attestation of Validation, Part 2a, update “Payment Application Functionality” to be consistent with the application types listed in the PA-DSS Program Guide, and clarify annual re-validation procedures in Part 3b.

In October 2010, PA-DSS 2.0 was released, [6] indicating: Update and implement minor changes from v1.2.1 and align with new PCI DSS v2.0. For details, please see PA-DSS – Summary of Changes from PA-DSS Version 1.2.1 to 2.0.

In November 2013, PA-DSS 3.0 was released, [7] indicating: Update from PA-DSS v2. For details of changes, please see PA-DSS – Summary of Changes from PA-DSS Version 2.0 to 3.0. [8]

In May 2015, PA-DSS 3.1 was released, [3] indicating: Update from PA-DSS v3.0. See PA-DSS – Summary of Changes from PA-DSS Version 3.0 to 3.1 for details of changes. [9]

In May 2016, version 3.2 of the PA-DSS Program Guide and Standards were released. [10] [11] For details, see Summary of Changes from PA-DSS Version 3.1 to 3.2. [12]

Supplemental information

The PCI SSC has published additional materials that further clarify PA-DSS, including the following:

References

  1. PCI Security Standards Council
  2. PCI Security Standards Council
  3. "Requirements and Security Assessment Procedures Version 3.1" (PDF). PCI Security Standards Council. Retrieved 27 January 2016.
  4. "Payment Application Data Security Standard (PA-DSS) V1.1". PCI Security Standards Council. Archived from the original on 2010-08-02.
  5. "Payment Application Data Security Standard (PA-DSS) V1.2". PCI Security Standards Council. Archived from the original on 2010-08-02.
  6. "Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures: Version 2.0" (PDF). PCI Security Standards Council. Retrieved 2017-04-22.
  7. "Payment Card Industry (PCI) Payment Application Data Security Standard: Requirements and Security Assessment Procedures: Version 3.0" (PDF). PCI Security Standards Council. Retrieved 2017-04-22.
  8. Summary of Changes from PA-DSS Version 2.0 to 3.0
  9. Summary of Changes from PA-DSS Version 3.0 to 3.1
  10. "Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) v3.2: Program Guide" (PDF). PCI Security Standards Council. May 2016. Retrieved 2017-04-22.
  11. "Payment Card Industry (PCI) Payment Application Data Security Standard: Requirements and Security Assessment Procedures: Version 3.2" (PDF). PCI Security Standards Council. Retrieved 2017-04-22.
  12. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards" (PDF). www.pcisecuritystandards.org. Retrieved 2017-04-22.
  13. PA-DSS Requirements and Security Assessment Procedures v1.2.1
  14. PA-DSS Requirements and Security Assessment Procedures v2.0
  15. PA-DSS Requirements and Security Assessment Procedures v3
  16. PA-DSS 3.2 Program Guide